Migrating users and pwd from AD to SQL Server - sql-server

Let me describe the problem: my current portal is using AD login and pwd details to authenticate external users. I will have a new portal which will keep logins and pwds in SQL Server in a table. I need to migrate logins/pwds from the AD domain to the SQL database so external users can use their old password. Is it possible? How should I approach that?
Thank you for any help,
Rafal

Gathering the list of usernames should not be a problem. However, SQL Server stores hashed versions of passwords, and presumably Active Directory does this differently. I don't see any solution except to create a bridge application under Active Directory that logs them into SQL Server under a temporary password and lets them assign a new password.

The permissions should be with the databases. Perhaps you've lost the association between the server logins and the database users. See if their SIDs are different. If so you can fix them with
ALTER USER with login =
or
exec sp_change_users_login (check books online for how to use this)
http://technet.microsoft.com/en-us/library/ms174378.aspx

Related

Access multiple database in Azure SQL

I have created 2 azure security groups (Read-SQL and the second is Write-SQL) in order for them to login into multiple Azure SQL servers via SSMS using their Azure AD identity based on their group membership in order to access multiple databases on those services.
First of all I have configured an admin group on the SQL Server in our Azure tenant.
I have connected to the SQL via SSMS using my credentials and so far so good.
After that I opened a query and typed in master database
CREATE USER [SQL-READ] FROM external provider
ALTER ROLE db_datareader ADD MEMBER [SQL-READ];
(Did the same thing for Write-SQL)
only the user is created and no permission given with an error saying the user does not exist or I don't have permission.
I have Azure global administrator permission in Azure and I don't know why I get this error.
In the bottom line I would like that Read-SQL and Write-SQL will be able to login in to the SQL Server and have access to all databases within it as well as giving Read-SQL reading permissions and to Write-SQL writing permission.
I read a few Microsoft articles but I got even more confused since I don't know if I need to create a login or create a user or a contained user.
Please help
Thank you
Here are few screenshots for better understanding
I read the following articles but had only partial success.
https://www.mssqltips.com/sqlservertip/6751/azure-ad-authentication-azure-sql-databases/
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#create-contained-users-mapped-to-azure-ad-identities
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql
https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver16
Whether you should create a login, user or contained user will depend on your access and security requirements. However, in Azure SQL Database, users are created per database. So, you can create the login in the master database and then you need to create the associated user in each database on that SQL Server.
This documentation gives more information on creating logins, users and contained users for Azure SQL Database.

Active Directory Last Name Change and SQL Windows Authentication Hundreds of Databases

I have a user that has changed their last name. They access many different SQL databases across dozens of servers with Windows Authentication.
What is the best way to update their last name other than creating a new AD account and migrating them over to the new AD account?
Thank you johannes krackowizer for your valuable suggestion. Posting your suggestion as an answer to help other community members.
Even if you changed the user's last name, it won't affect SQL Server.
While setting up a login in SQL Server, you have to enter the username and domain of the account.
After that, it will go to Windows and grab the Security Identifier (SID) of the account.
It stores both in SQL Server.
So, when you change the user's last name in Windows, the SID will remain the same.
When the user logs in to SQL Server, the SID is passed from client to server and verified against the database.
To know more about SIDs, find the link below:
SQL Server Logins, Users and Security Identifiers (SIDs) (sqlshack.com) by Simon Liew

SQL server & Azure active directory - creating new contained azure ad guest users

I'm trying to create database users that are integrated with azure active directory. All of our users are guest users. I've been following multiple articles on how to create users in the SQL db but none have worked.
For example, this article: https://www.mssqltips.com/sqlservertip/5242/adding-users-to-azure-sql-databases/
suggests creating users like so:
CREATE USER [name#domain.com]
FROM EXTERNAL PROVIDER
WITH DEFAULT_SCHEMA = dbo;
This yields the error:
Principal 'name#domain.comm' could not be found or this principal type is not supported.
Googling this error lands me on a stackoverflow post (https://dba.stackexchange.com/questions/148325/add-active-directory-user-for-azure-sql-db):
which suggests:
CREATE USER [name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com] FROM EXTERNAL PROVIDER
and for access:
EXEC sp_addrolemember 'db_datareader', 'name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com'
EXEC sp_addrolemember 'db_datawriter', 'name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com'
and this does not give an error, but it also does not provide access to the database, since I get the error NT AUTHORITY/ANONYMOUS LOGIN.
I also tried to create an AAD group and provide that group access, also no error here but couldn't login either.
Couple of notes:
All IP addresses are allowed on the firewall
all users have been added in sql db IAM (not sure if this is even necessary)
I've enabled Active Directory Admin in the sql server, I put the subscription admin here
This is also the users with which I created users in the SQL DB
I'm able to create native sql users without a problem
Still I'm only able to login using the Active Directory Admin, and no other user is able to login.
Any advice on how I can login to my Azure sql database using windows credentials from Azure Active Directory?
When using external users, you need to use the "mangled user principal name" when adding them.
That's this one:
CREATE USER [name_domain.com#EXT##<your-azure-ad-default-domain>.onmicrosoft.com] FROM EXTERNAL PROVIDER
Secondly, the users will be created only in that database; they cannot connect to master.
So you need to choose the DB to connect to.
You may also need to specify the AAD tenant id in advanced connection settings.
The reason you might need to do this is that by default an external user logs in to their home tenant, which is not the one connected to your DB. So you may need to specify the tenant to have them explicitly log in against your tenant.
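As an added example for the two Azure SQL answers above (the per-database users for the Read-SQL/Write-SQL groups, and the mangled guest UPN), not code from either answer: run it while connected, as the Azure AD admin, directly to the user database rather than to master. The database name [AppDb], the group names and the guest UPN are placeholders, and the "@" that the posts above show as "#" is written out here.

```sql
-- Added example: contained Azure AD principals live only in the database they are
-- created in, so connect to [AppDb] (placeholder) and repeat per database as needed.

-- 1. Azure AD groups: the principal name is the group's display name.
CREATE USER [Read-SQL]  FROM EXTERNAL PROVIDER;
CREATE USER [Write-SQL] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [Read-SQL];
ALTER ROLE db_datareader ADD MEMBER [Write-SQL];
ALTER ROLE db_datawriter ADD MEMBER [Write-SQL];

-- 2. A guest (B2B) user: use the mangled UPN exactly as your tenant shows it,
--    i.e. the home UPN with '@' replaced by '_', then '#EXT#@<default-domain>'.
CREATE USER [name_domain.com#EXT#@<your-tenant>.onmicrosoft.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [name_domain.com#EXT#@<your-tenant>.onmicrosoft.com];

-- 3. Verify what exists in THIS database: type E = external user, X = external group.
--    If this returns nothing, the CREATE USER ran against a different database.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE authentication_type_desc = 'EXTERNAL';

-- 4. Effective role membership of the external principals (least privilege check:
--    Read-SQL should appear only under db_datareader).
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.authentication_type_desc = 'EXTERNAL'
ORDER BY role_name, member_name;
```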

SQL Login created but not mapped - user already exists - is there any connection between?

Greetings,
When I login into a particular MSSQL database as sa I see the following: somebody moved a database from server A to server B using restore option. I can see all the users in place (restored along with the database) - great. There are logins previously created on server A - great. All of those logins have sysadmin role. I think there's one problem - I don't see any mappings done between logins and users on server B (currently I have no access to Server A so I can't look at the configuration).
According to security properties - all of those 'local' database users are 'SQL user without login' - but I'm sure a proper application uses those users on a regular basis and there are configuration files where passwords are stored.
Question #1 - if there's a login with sysadmin role and there's a local database user of the same name (as login) - does the application use login or local db user in order to work properly? (there's no mapping between the two)
Question #2 - should mapping be done between all the logins and corresponding database users when moved from one server to another? At the moment there isn't any mapping done and my coworkers are using logins with sysadmin role to access the whole database.
Regards,
1) If a particular login has the sysadmin role the application or person using this login can do anything on the database server. It is generally not considered good practice to have a lot of sysadmin users because it opens up the database server (and more) to security breaches.
2) Mapping SQL logins to database users makes sense if the users have minimal server-wide permissions and if you want to assign several certain data access rights in different databases. For example, you have a login X but users Y and Z and want to have read-only permissions for user Y in database Y but read-write permissions for user Z in database Z; in this case mapping can be useful.
There is something else you should be mindful of. If you back up a database (including database SQL users) on server A and restore the database on server B, and the corresponding login(s) were not created on server B with the same SID as on server A, you end up with orphaned users. That is, the name of the login is not important to SQL Server; the SID of the login is.
You can find the SIDs in system login tables:
SELECT * FROM sys.sql_logins
SELECT * FROM sys.syslogins
To make sure the login on both servers is exactly the same (same SID!) you have to create the logins using a script like this:
CREATE LOGIN MyTestUser WITH PASSWORD=N'!#MyTestPassword#$', SID=0x552C84CB83802C4A801C670265CCAFA4, DEFAULT_DATABASE=tempdb, DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
Hopefully this helps.

Copying SQL Server Express database to another server

I need to copy a SQL Server Express database from one server to another (virtual) server.
I know how to do this for the database itself - with a backup and restore. I have also looked at this and this which show how to script this - that's great.
However, I also need the permissions to go with it but can't figure out how to do that.
Any pointers would be warmly welcomed.
The logins need to exist already on the destination server, but once they exist, you can wire-up the logins back to the users with a script like this:
sp_change_users_login 'Update_One', 'user-name', 'login-name'
More information on sp_change_users_login can be found on MSDN
Logins are at a server level. Users are at a per-database level. Generally I keep the login name and user name the same to avoid confusion, but they can be different. The Users define the permissions within the database and you've not lost them, just the link to the login.
As an alternative to sp_change_users_login
ALTER USER username WITH LOGIN = newlogin
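The orphaned-user situation described in the two answers above (and in the earlier ALTER USER / sp_change_users_login reply) as one added example, not code from any of the answers: detect users whose SID matches no login on the restored server, then repair the mapping so the application keeps its per-database permissions instead of running under a sysadmin login. [AppDb], MyTestUser and the password are placeholders.

```sql
USE [AppDb];   -- placeholder: the database restored from server A
GO

-- 1. Orphan detection. SQL Server links a database user to a login by SID, not by
--    name, so a login with the same name but a different SID still leaves an orphan.
--    authentication_type_desc = 'INSTANCE' restricts this to users that were
--    mapped to a login (skips contained users, dbo, guest, sys, INFORMATION_SCHEMA).
SELECT dp.name              AS db_user,
       dp.sid               AS db_user_sid,
       SUSER_SNAME(dp.sid)  AS login_for_sid      -- NULL means orphaned
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type = 'S'
  AND dp.authentication_type_desc = 'INSTANCE'
  AND sp.sid IS NULL;
GO

-- 2a. The login already exists on this server (same name, different SID):
--     re-link the user to it. This is the supported replacement for
--     sp_change_users_login 'Update_One'.
ALTER USER [MyTestUser] WITH LOGIN = [MyTestUser];
GO

-- 2b. Alternatively, the login does not exist yet: create it carrying the SID the
--     database user already has, so the mapping is correct now and survives any
--     later restore to another server. Run 2a OR 2b, not both.
DECLARE @sid varbinary(85) =
    (SELECT sid FROM sys.database_principals WHERE name = N'MyTestUser');
DECLARE @sql nvarchar(max) =
    N'CREATE LOGIN [MyTestUser] WITH PASSWORD = N''<placeholder-strong-password>'', '
  + N'SID = ' + CONVERT(nvarchar(200), @sid, 1)   -- style 1 emits the 0x... literal
  + N', CHECK_POLICY = ON;';
EXEC sys.sp_executesql @sql;
GO

-- 3. Verify: the user's SID now resolves to a login, and step 1 returns no rows.
SELECT name, SUSER_SNAME(sid) AS mapped_login
FROM sys.database_principals
WHERE name = N'MyTestUser';
```

The same step-1 query also covers Windows logins (change dp.type to 'U'), where SUSER_SNAME returns the account's current name even after a rename, since only the SID is stored.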
